hellosoft (India) asked:
Resolving Vulnerability


I am running vulnerability scanning against my Exchange OWA, which is installed on Windows Server 2008 R2 SP1 x64 and hosted via TMG.

I am getting the following vulnerability. I tried several ways to resolve it, but none of them worked.

33929 - PCI DSS compliance Synopsis
Nessus has determined that this host is NOT COMPLIANT with the PCI DSS requirements.
The remote web server is vulnerable to cross-site scripting (XSS) attacks, implements old SSL2.0 cryptography, runs obsolete software, or is affected by dangerous vulnerabilities (CVSS base score >= 4). If you are conducting this scan through the Nessus Perimeter Service Plugin, and if you disagree with the results, you may submit this report by clicking on 'Submit for PCI Validation' and dispute the findings through our web interface.
See Also
Risk Factor
Plugin Information:
Publication date: 2008/08/07, Modification date: 2012/04/27
Ports tcp/0
+ Some services implement SSL 2.0.
+ A medium risk flaw was found. See :

Please help me out.

skullnobrains:

You probably should not care at all, but Nessus would definitely be happier if you updated IIS, and possibly the OS as well.
hellosoft:

Our organization policy is to clear all such vulnerabilities.

If I update IIS on the machine hosting the Exchange server, will it affect anything?

Automated tools... close to useless in identifying real problems.

If you want to pass this test that proves nothing, then disable the protocol in the registry.

Thanks Simon,

but it is also not working here.

Stick a reverse proxy in front of your Exchange server. If you need to do an update every time a vulnerability is discovered in Exchange, you can book the next few years of your time.
You are right!
But, right now, I am stuck with that job.

Any solution please?
Don't you have a detailed report that will actually tell you what Nessus does not like?

You have an available patch for XSS issues here

You may also want to read this

Anyway, the first step would be to apply updates (IIS, Exchange and Windows).
You can see the detailed output given by Nessus in my post.

Thanks for the links. I will let you know once I check those.

I think you really need to change a few things in your company.

1) Make them understand that vulnerability scanners need to be run and interpreted by professionals. The PCI DSS standards are mostly a foolish set of dumb pseudo-security rules that do not even actually cover the basics. There is no reason why they would apply to OWA in any way, unless you store credit card information in your email, meaning you really have other problems to solve.

2) Make them understand that tools that tell you there is a vulnerability without saying which one precisely are useless at best, and lie most of the time. In your case, XSS is known to apply to Exchange, SSLv2 applies to nothing because any browser that supports SSLv3 (i.e. any browser that supports SSL) will negotiate SSLv3 anyway, CVSS scoring is useless when you do not know what it applies to, and older software does not mean less secure software.

3) Most likely, your Exchange server is open to the internet and running under an administrator account. If such crazily insecure practices exist in your company, they need to listen to professionals (I guess you can be the one) instead of relying on automated software.

I'd be glad to help you with your problem directly, but basically, either an update will solve it and you probably already tried, or removing SSLv2 support will, and I know you already tried, or you will just have to wait for a possible patch. But to make things clear, any webmail has to do a little XSS in order to work properly.

I do not know what is detected by Nessus, but it may well be impossible to correct if you need to maintain the level of functionality of Exchange the way OWA is architected.

I'm also 100% sure that running an Exchange box facing the WAN is insecure by itself, whatever patches you may apply.

Good luck anyway.

You have given very good information. I will keep these points in mind.

Whatever you said about PCI DSS is right and I agree with that. But the perimeter scanners are also showing the same thing, because we need to satisfy our clients as well.

I am able to enable SSLv3, but it is not disabling SSLv2. I tried all possible solutions available on the internet and Microsoft postings as well, such as 
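
The registry change Simon refers to, and the step the asker reports as not taking effect, is the SChannel protocol switch. The script below is an added example, not code from the thread or from Microsoft: it writes the documented SChannel values (`Enabled=0` and `DisabledByDefault=1` under `SSL 2.0\Server` and `SSL 2.0\Client`) on Windows Server 2008 R2 and reads them back so a second run can confirm they are present. Two practical points the thread does not spell out: SChannel only reads these values at boot, so the server must be rebooted before a rescan means anything; and in the asker's topology OWA is published through TMG, so the scanner is talking to the TMG listener, which terminates HTTPS itself. The change has to be applied (and the reboot done) on the host that actually terminates TLS, not only on the Exchange box. The function names and the `$base` variable are this example's own.

```powershell
# Added example (not from the thread): disable SSL 2.0 in SChannel on
# Windows Server 2008 R2 and read the values back. Run from an elevated
# PowerShell; SChannel picks the change up only after a reboot.
# Apply on whichever host terminates HTTPS for OWA (the TMG listener in
# the asker's setup), not only on the Exchange server behind it.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SslProtocol {
    param([Parameter(Mandatory=$true)][string]$Protocol)   # e.g. 'SSL 2.0'
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 stops it
        # being offered unless an application requests it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SslProtocolState {
    param([Parameter(Mandatory=$true)][string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            New-Object PSObject -Property @{
                Protocol          = $Protocol
                Side              = $side
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        } else {
            # No key at all means the OS default applies, which on 2008 R2
            # leaves SSL 2.0 available on the server side.
            New-Object PSObject -Property @{
                Protocol          = $Protocol
                Side              = $side
                Enabled           = '(key absent: OS default)'
                DisabledByDefault = '(key absent: OS default)'
            }
        }
    }
}

Disable-SslProtocol -Protocol 'SSL 2.0'
Get-SslProtocolState -Protocol 'SSL 2.0' | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
Write-Host 'Values written. Reboot this host before rescanning; SChannel reads them at boot only.'
```

After the reboot, run `Get-SslProtocolState -Protocol 'SSL 2.0'` again to confirm both sides show `Enabled 0` and `DisabledByDefault 1`, then rescan from outside. If the finding persists, check the same keys on the TMG server, since that is the endpoint the scanner is negotiating with.
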
